Summary : Infinite loop in Teredo client Date : 02 May 2005 Affected versions : Miredo 0.2.0 to 0.4.2 Miredo-specific : Yes Impact : Remote denial of service CVE ID : N/A ID : MTFL-SA-0501
Parsing by the Teredo client of Router Advertisement normally sent by the Teredo server suffers from insufficient sanity checks. By sending a carefully crafted UDP packet to Miredo’s Teredo service port, it is possible to cause Miredo to read undefined memory and/or to trigger an infinite loop, effectively denying the Teredo client service.
If conditions are met, Miredo will enter an infinite loop and use all remaining CPU cycle (on one processor) until it is killed (killall -KILL miredo). Teredo tunneling will be completely unusable.
As far as is known, this bug cannot be exploited to run arbitrary code remotely.
Exploitation of this bug requires the knowledge of a 64-bits long authentication nonce sent by the Teredo client to the Teredo server. It is hence very unlikely to be caused by third party except in a man-in-the-middle case.
The selected Teredo server MUST be trusted by the client, given the design of the Teredo protocol.
Teredo relays and Teredo servers are unaffected.
Use a trusted Teredo server.
Upgrade to Miredo version 0.4.3.
This bug was discovered internally.